All posts

Secrets management

How do I find hardcoded secrets in my codebase?

A grep for 'password=' will find the obvious ones. The ones that actually cause breaches are usually in the places people don't check.

Last updated

Hardcoded secrets — API keys, database passwords, signing secrets — end up in source code more often than most teams assume, and they’re disproportionately common in AI-generated files: migration scripts, seed data, and quickly scaffolded config.

Check more than the current branch

A secret committed once and “removed” in a later commit is still sitting in your git history, retrievable by anyone with read access to the repo. Scan full git history, not just the working tree — tools like trufflehog and gitleaks are built specifically for this.

Wondering if your code has any of this? Scan a public repo free, no account needed.

Scan a repo →

Where AI-generated secrets actually hide

  • Database migration and seed files (password='password123' as test data that ships to production)
  • Config files with a real-looking key used “temporarily” during scaffolding
  • Test fixtures and mock data that reuse a real API key from a .env file the model could read
  • Comments left in by an AI tool showing an example value, copy-pasted from a real key

What to do once you find one

Removing the line is not enough — the secret is still valid and still in history. Rotate the credential first, then remove it from source and history. A removed-but-unrotated secret is still a live vulnerability.

Make it impossible to merge again

Add a secret-scanning check to your CI pipeline so a hardcoded credential blocks the pull request instead of reaching main. This is the difference between finding secrets occasionally and never shipping one again.

Prbl scans the AI-generated parts of your codebase for exactly the kinds of issues above.

Find what AI missed — free
How Do I Find Hardcoded Secrets In My Codebase? — Prbl